cybersource_sop
Cybersource SOP lets a Drupal Commerce shop take credit and debit card payments through Cybersource, using Cybersource Secure Acceptance in Silent Order POST (SOP) mode. Shoppers enter their card details on your own styled checkout page, but the card data is sent straight from their browser to Cybersource and never touches your server. Cybersource returns a digitally signed result, which the module verifies before recording the payment against the order.
Features
Adds a Cybersource (Secure Acceptance SOP) payment gateway to Drupal Commerce. Use it when you run Drupal Commerce, your processor is Cybersource, and you want card fields on your own checkout (rather than a hosted redirect) while keeping card data off your server.
- Polished on-page card form with live brand detection (Visa, Mastercard, Maestro, American Express, Discover, Diners Club, JCB) and inline Luhn, expiry and CVV validation — no card-type dropdown.
- Card number and CVV are POSTed directly from the browser to Cybersource; your server never receives or stores them.
- Replies are rejected unless their HMAC-SHA256 signature verifies, and every field the payment logic acts on must be covered by that signature.
- The recorded payment amount and currency always come from the order, never from the returned POST (fail-closed on any mismatch).
- Replay guard: the same Cybersource transaction is never recorded twice.
- Supports Authorization and Sale (authorize + capture) transaction types.
- Decision Manager review outcomes are recorded as a pending authorization and the order is held, not auto-completed.
- Multi-currency credentials: one test profile for all currencies, one live profile per currency.
- Security-key expiry monitoring on the Status report, warning you before a key expires.
- Every gateway response is written to the order audit log (never card data).
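The reply checks listed above (signature, signed-field coverage, order match, replay guard), shown as an added PHP example that is not the module's own code. It assumes Cybersource's documented Secure Acceptance signing scheme (comma-joined name=value pairs in signed_field_names order, HMAC-SHA256, base64) and its reply field names. The function names, key and sample reply are constructed, and the in-memory $seen array stands in for a persistent store.

```php
<?php
// Added example, not the module's code. Names and sample values are constructed.
const REQUIRED_SIGNED = ['decision', 'transaction_id', 'req_reference_number', 'req_amount', 'req_currency'];

function sop_sign(array $fields, array $names, string $key): string {
  // Signed string: "name=value" pairs, comma-joined, in signed_field_names order.
  $pairs = array_map(fn($n) => $n . '=' . $fields[$n], $names);
  return base64_encode(hash_hmac('sha256', implode(',', $pairs), $key, TRUE));
}

// $order: values the shop stored itself. $seen: stand-in for a persistent store.
function sop_verify(array $post, string $key, array $order, array &$seen): array {
  $post = array_filter($post, 'is_string');  // drop array-valued parameters
  $names = explode(',', $post['signed_field_names'] ?? '');
  if (array_diff(REQUIRED_SIGNED, $names) || array_diff_key(array_flip($names), $post)) {
    throw new RuntimeException('A required or listed field is unsigned or missing.');
  }
  // hash_equals() is a constant-time comparison.
  if (!hash_equals(sop_sign($post, $names, $key), $post['signature'] ?? '')) {
    throw new RuntimeException('Signature mismatch.');
  }
  $reply = array_intersect_key($post, array_flip($names));  // signed values only
  // Fail closed: the reply must match the order exactly (assumes the amount was
  // sent in the request with the same string formatting the order stores).
  if ([$reply['req_reference_number'], $reply['req_amount'], $reply['req_currency']]
      !== [$order['number'], $order['amount'], $order['currency']]) {
    throw new RuntimeException('Reply does not match the order.');
  }
  if (isset($seen[$reply['transaction_id']])) {
    throw new RuntimeException('Transaction already recorded.');
  }
  $seen[$reply['transaction_id']] = TRUE;
  return $reply;
}

// Constructed sample reply, signed with a constructed key.
$key = 'constructed-test-key';
$order = ['number' => 'ORDER-1001', 'amount' => '49.99', 'currency' => 'GBP'];
$post = ['decision' => 'ACCEPT', 'transaction_id' => '1234567890123456789012',
  'req_reference_number' => 'ORDER-1001', 'req_amount' => '49.99', 'req_currency' => 'GBP',
  'signed_field_names' => 'decision,transaction_id,req_reference_number,req_amount,req_currency,signed_field_names'];
$post['signature'] = sop_sign($post, explode(',', $post['signed_field_names']), $key);
$seen = [];
echo sop_verify($post, $key, $order, $seen)['decision'], "\n";  // first delivery
foreach ([['req_amount' => '0.01'] + $post, $post] as $bad) {     // tampered, then replayed
  try { sop_verify($bad, $key, $order, $seen); }
  catch (RuntimeException $e) { echo 'rejected: ', $e->getMessage(), "\n"; }
}
```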
Post-Installation
There is no new content type — configuration is the gateway settings plus an external credentials file. Credentials are deliberately kept out of Drupal configuration (never written to the database or exported to config).
- Configure Drupal's private filesystem (the file_private_path setting in settings.php), pointing it at a directory outside the web root.
- Copy cybersource.credentials.example.yml to private://keys/cybersource.yml, fill in your Secure Acceptance profile values (profile_id, access_key, secret_key), and make it readable by the web server user only.
- Go to Administration » Commerce » Configuration » Payment gateways and add a "Cybersource (Secure Acceptance SOP)" gateway; set the mode (test or live), transaction type and locale. The gateway panel reports whether the credentials file is present.
- In the Cybersource Business Center, on the matching Secure Acceptance profile: choose the Silent Order POST integration method, enable card payments and your currencies, allow the merchant to override the customer response page, then activate the profile and generate a security key.
Additional Requirements
- Drupal Commerce: the commerce_payment, commerce_order, commerce_price, commerce_log, commerce_cart and commerce_checkout sub-modules.
- A Cybersource Secure Acceptance Silent Order POST profile (profile_id/access_key/secret_key) for each environment and currency you take payments in.
- Drupal's private file system configured.
No third-party PHP libraries are required; request signing uses PHP's built-in hash_hmac().
Recommended modules/libraries
None are required. Because Silent Order POST renders card fields in your checkout page, you should serve a strict Content-Security-Policy on checkout pages and lock down who can inject markup. A security-header module such as Security Kit (SecKit) can help you set this up.
Similar projects
Commerce CyberSource Flex Microform (iframe-hosted fields over the REST API). This module instead uses Secure Acceptance Silent Order POST, keeps credentials in the private filesystem (resolved per mode and currency) rather than in site configuration, and ships an on-page card form with live validation. Choose this module if you specifically want the Secure Acceptance SOP flow.
Supporting this Module
Maintained by Graith Internet. Please file bug reports and feature requests in the project's issue queue.
Community Documentation
Full configuration, security-hardening and testing notes are in the module's mo and walkthrough may be linked here later.)
PCI scope
Because Silent Order POST renders card fields in your checkout page, your card-data environment is typically assessed as PCI DSS SAQ A-EP (not the lighter SAQ A used by hosted-page or iframe integrations). Confirm your PCI scope and SAQ eligibility witnd and/or QSA. This module is not a PCI compliance tool and ships no official PCI content.